cross the vast realm of financial services and banking, big data is emerging as a weapon of mass disruption, particularly in the fast-growing market for consumer loans. One company—Chicago-based Avant—perhaps best symbolizes how that dynamic works, and how it is re-shaping an entire industry.

It’s not hard to understand why Avant has drawn more than $600 million in equity capital backing since its founding in 2012. It has opened up new markets in consumer lending by letting technology navigate past the old rules of the industry:
Avant uses advanced algorithms and machine-learning capabilities to discover credit-worthy borrowers who would not otherwise qualify for conventional loans. Avant has generated more than $4 billion in loans through its platform in a little under four years.

But, like any online lending platform, Avant knows that its virtual platform attracts both legitimate borrowers and a small population of nefarious players. Large-scale data breaches at Equifax, Yahoo, and other major companies come with a follow-on consequence: Other hackers take the stolen data and try to exploit it. For lending platforms such as Avant, that means filling out thousands of fraudulent loan applications in the hopes that a few will actually pay off.

Small wonder, then, why Avant brought in cybersecurity veteran Shyama Rose as its Chief Information Security Officer. It wanted to ensure that a company going through a hyper-growth phase can keep pace with cyber-risk management as it scales and evolves in the coming years.

So where do you start? As Rose explains, cybersecurity in the fintech world —as it is in any industry— is all about discovery. It will take some time for all of the forensics of the Equifax break-in to be revealed (the hack compromised the personal information of 143 million customer records) but when they are, they will help experts like Rose plot smart security strategy. The irony of all the complexity facing companies like Avant? The risks often lurk in their own digital backyards. “It’s more common to have a breach that involves a relatively simple flaw rather than a complex one where motivated hackers put together an intense and multipronged attack,” Rose says. “Complicated attackers want to remain very quiet [and undetected].”

SCROLL DOWN

Internal education

Rose says good security practice starts with educating the entire company about the threat of intrusions. That may mean going deep with her engineering team or giving executive management the big picture or even drawing simple analogies for employees at large. She favors the analogy of a cyber-security expert being akin to an auto mechanic, in that they both make sure your car’s brakes and lights are maintained and operate to protect you. One of Rose’s guiding principles is this: companies and organizations need to do all the basics consistently to ensure their data is protected. This means making sure everyone in the company—from the CEO to the user with the least access permissions—is doing the basics of good security management all the time, including everything from keeping systems updated to reducing attack surface to updating permissions.

“It goes back to doing security correctly and the best practices for decades,” Rose says. “Patch your public-facing systems, educate your people and don’t expose data.”
A lot has changed with both cybersecurity technology and threats over the past few decades. This year, businesses, governments and individuals were caught off-guard in May when the WannaCry ransomware attack reached an unprecedented scale, infecting more than 230,000 computers in more than 150 countries.

Regulatory hurdles

Risk management in financial services comes with added challenges: The sector is heavily regulated by various agencies and has established specific practices to protect against breaches. Those practices traditionally promote maintaining data on in-house server infrastructure, even as the broader business world moves toward cloud computing, because handing off risk to a third party is anathema to the banking industry.

“There is risk reduction and there is risk transfer, whereby risk is transferred to third parties,” Rose says. “Risk transfer partially averts reputational and financial damage and a lot of companies are employing this strategy in the age of cloud services and infrastructure.”

Security breaches have become more commonplace, Rose explains, which has forced companies to create a strong incident-response plan to manage the crisis. That often involves enlisting a third party to help guide decisions. It’s critical that the crisis-management team and executive leadership set the overall tone for the company and its response to the security breach.

SCROLL DOWN

Constant learning

One thing has remained constant over the past 20 years of cyber security: The challenges never stop and vigilance is critical, especially when it comes to high-value targets such as banks. The variety and scale of sophisticated actors (do you MEAN attackers?) has grown in proportion to the ubiquity of commerce and now includes unfriendly nation-states, hacktivists, organized crime and cyber gangs.

The power of computing has increased, which means it’s now a lot easier for cyber thieves of all stripes to explore and try out new ways to penetrate networks and steal information. Worse, the number of devices now connected to the Internet has also made it increasingly difficult to monitor suspicious traffic to detect the break-in symptoms.

“The way I think about how fancy the technology is now is that there’s always going to be something wrong with it,” Rose says. “We always have to understand there is no end-state to security. It is a never-ending process of finding and fixing vulnerabilities.”

To learn about secure network solutions built for your business, visit Juniper Networks.

This article was written by WIRED Brand Lab in partnership with Juniper.